June 28, 2021
As a recognized expert in cybersecurity and data breach response, Sherri has been called a “security badass” by the New York Times, and has conducted cybersecurity training for many distinguished organizations including the Department of Defense, the American Bar Association, FFIEC/FDIC, and many more.
She is a faculty member at the Pacific Coast Banking School, and an instructor for Black Hat, where she teaches her “Data Breaches” course.
Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.
Have you ever been obsessed?
I’m not talking about being really into something. Not “OMG I’m obsessed with K-Pop!” I mean really obsessed. Something that took over your life. You couldn’t stop thinking about it. It had control over you.
It was as a teenager that Albert Gonzalez–one of the greatest cybercriminals in history–developed the obsession that would go on to ruin his life.
But before all that, he was just an ordinary kid.
Really, his dad was the interesting one in the family. In the early ‘70s, Alberto Gonzalez Sr. built a handmade raft with two friends and used it to try and cross the Caribbean. He was two days on the water when an American submarine spotted him in the Florida Strait, and a Coast Guard cutter came to the rescue.
It was a classic immigrant story–coming over with nothing, having to work from the bottom. He moved to Miami, started a landscaping company, and married a fellow Cuban–Maria–in 1977.
Alberto and Maria lived at 32nd Street and 64th Avenue, in a working class neighborhood south of downtown Miami. Their house was small but pretty–with palm trees, flowers, a Spanish-tiled roof, and a driveway out front that awkwardly overlaps with what looks like a half-finished sidewalk. Like many other Cuban emigres, they were politically conservative, churchgoing people.
ALBERT BECOMES OBSESSED
And their son, Albert Jr., was a fine kid–close with his parents and his sister, outgoing with friends, helpful with his father’s landscaping company. He was handsome–tan, skinny, with black hair cut short. His grades were good. And then…
[Sherri] When he was 12, he bought his first computer.
A lot of us computer geeks have the same origin story: your first computer, being totally enamored by it, spending all day in your room coding or playing games. Albert liked his computer, yes, but he only became obsessive over it after something unfortunate happened. Something that knocked him onto a different trajectory than you and I.
His new computer contracted a virus.
Alberto Sr. and Maria called in the technician that sold them the machine. But the boy was hardly as sad or scared as you’d expect him to be in that situation. He was frustrated, annoyed, and maybe a little curious. He later recalled, quote: “I had all these questions for him: ‘How do I defend myself from this? Why would someone do this?’”. Albert decided to get to the bottom of this virus thing, and just kept going further and further into the rabbit hole.
At first, it didn’t seem too bad. His family figured he could turn computers into a career, if he really liked them this much. And, as a family friend recalled, quote: “His dad said, ‘It’s better than him getting high or running around with gangs.’” End quote.
But then Albert Jr.’s schoolwork fell away. He had less time for chores and landscaping. His relationships deteriorated, and he became more troublesome in the house. His sister later described how, quote: “He would sit at the computer for hours at a time. He went from being an extroverted and talkative kid to quiet, introverted, and obsessed.” End quote.
It was becoming clear that this computer thing wasn’t just a hobby. It was unhealthy. His mother begged him to see a psychologist, but he wouldn’t. His father even convinced some of his friends in the local police to stage an arrest.
It didn’t work. By 1995, at age 14, Albert was using stolen credit cards from the darkweb to buy video games, albums and shoes.
Oh, and he was part of a group that hacked into NASA.
Now, if this were anything other than the Malicious Life podcast, that would seem like the crazy part of the story. But you’ve heard this one before, right? There were the Australian kids that disrupted a space shuttle launch using the WANK Worm in 1989.
In fact, Albert isn’t even the only teenager from Miami to have hacked NASA in the ‘90s. A few years after Albert did it, a 15-year-old named Jonathan James–who lived an 8-minute drive from Albert’s house, according to Google Maps–would steal safety-critical source code running the International Space Station.
So perhaps what’s most surprising isn’t what Albert did, but how he handled himself next. Because it was shortly thereafter, about halfway into his freshman year, when a couple of nice folks visited the principal’s office at South Miami High School, asking for him. They were employees of the Federal Bureau of Investigation.
They invited Albert Jr., Albert Sr., and their lawyer–a family friend–to the FBI’s office in Miami. An agent sat with the boy and they spoke for over four hours. The FBI wanted to know how he’d pulled it off. The lawyer recalled, quote: “Hours in, the guy pulls us into the hallway and says, ‘This kid is amazing. He’s running circles around me.’” End quote. The agents agreed not to prosecute, if Mr. and Mrs. Gonzalez took away their son’s computer for six months. Albert went back to school.
And you’d think that’d be the end of it. Albert Gonzalez was now in the crosshairs of the FBI. Any reasonable person would quit after that, and get a new hobby. But do you know what Albert did, instead?
Not much different. When he got his computer back, he picked right back up where he’d left off. And by the time he graduated high school he was far more prolific, spending more time devoted to even more serious cyber crimes.
It’s a pattern you’ll notice about him. It’s pathological. At certain points in his story, Albert will face more of these inflection points, these exit doors–alternate paths he could take to make his life vastly better, choices that you and I would take in a second, that really only have one reasonable answer–but he just keeps committing cyber crimes.
And that’s the thing about obsession: even when a big, fat warning sign slaps you in the face, even when there’s a better choice available, it’s just not enough. Because obsession is not logical.
Albert Gonzalez and some of his friends would go on to pull off some of the most remarkable crimes in the history of computers. But they just didn’t know when to stop. If they did, they might have gotten away with it. They might not have ruined their lives.
Or, in one case, ended their life.
Albert’s first cyber crew called themselves the “Keebler Elves,” like the cookies. It was with them that he hacked NASA, and some other high-profile targets, like the home website of the Indian government.
But the Keebler Elves weren’t so much a criminal enterprise as some kids who just wanted to cause trouble. Like, after hacking the Indian government, they did little except proclaim victory and post offensive jokes like, “What’s with the red dot?,” and “Why are your women so ugly?” Not very nice, but not the kind of thing that’s going to cause much damage, either.
It was the same with most of their targets. At 2 AM on a Tuesday in 1999, the Elves hacked the U.S. Storm Prediction Center website, replacing the weather data with their own message, in all caps, quote:
“HEH. POWER. LEARN TO FEAR THE ELITE KEEBLER ELVES.”
They also posted more cryptic messages, along with dictionary definitions for the words “elves,” “elite,” “hack” and “fear.”
Technicians at the Prediction Center had to do overtime replacing their data from backups, but that was about it. A couple folks vented about just how annoying and pointless it all was to a local paper. Quote:
“There’s nothing destroyed or completely lost. Just a really big headache.”
[Nate] If you could start off by just briefly introducing yourself.
[Sherri] My name is Sherri Davidoff. I am the CEO of LMG Security and the author of the book “Data Breaches”.
Sherri’s going to be our interview guest for this mini-series.
[Sherri] The Keebler Elves demonstrated that they had some power. They would deface websites. That can make you feel really powerful as a teenager.
Under the name “soupnazi,” the young Albert told ZDNet, quote, “Defacing a site to me is showing the admins [and] government . . . that go to the site that we own them.” End quote.
You can see the appeal, right? How you could get sucked in. I remember feeling small and powerless in high school. Now imagine showing up to first period English class the morning after defeating NASA, or the government of India. You probably won’t be so focused on chapter 6 of To Kill a Mockingbird.
[Sherri] But for Albert it was more than just defacing websites. He also discovered that when he broke into these websites, he often had access to credit cards. That’s where he started to differentiate himself from some of the other hackers who were just doing it for play.
So he started using the credit cards, buying things like clothes and CDs and having them shipped to houses in Miami. He was very good at not only stealing things like credit card numbers but monetizing them, which is not something that every hacker was good at.
Don’t forget–at this point in the story, Albert is still, like, 14 years old.
[Sherri] So he would have that merchandise delivered to unoccupied houses and then during lunch break at school, he would have his friends drive him around to go and pick up his new wares.
Through his teenage years, Albert became increasingly adept at dividing his personality. After NASA, and losing his computer for six months, he picked his grades back up somewhat, and didn’t cause as much trouble in school or at home. But online he was still soupnazi, still an elf.
Albert graduated high school and then enrolled in community college in 1999, but he didn’t even stay a semester. He was more of an autodidact, anyway. He decided to teach himself how to hack ISPs for free broadband, through reading their software manuals.
[Sherri] And again he was doing something that was a little smarter than the average hacker. He would break in. He would get access to their computers and he would learn how the ISP worked.
Quote: “On their computers would always be a huge stash of good information, network diagrams, write ups. I would learn about system architecture. It was as if I was an employee.”
[Sherri] He would understand their processes. He ended up breaking into an ISP in New Jersey. So remember, he’s in Miami. He breaks into an ISP in New Jersey and he ends up convincing them to hire him as part of their security team.
Albert cycled through a few different jobs during this period in his life. He moved to the east side of Manhattan, worked for a Dot Com company shortly before they went bust, and Siemens, before they relocated. He moved out to a new job, renting an apartment in the town of Kearny, New Jersey–north of Newark–where things were especially quiet and most of his neighbors were retirees.
It was all rather uneventful, compared with what he was doing after hours. While moonlighting as an IT guy, living amongst the elderly, Albert was active in one of the great hacker forums of history.
[Nate] It’s the early 2000s and you and I are on ShadowCrew.com. What’s it like here?
[Sherri] So Shadow Crew is groundbreaking. It’s like a supermarket for hackers. You can buy and sell credit card numbers. You can get fake IDs. You can get diplomas. You can get whole packages of identities which allow you to commit fraud.
ShadowCrew was a hub of crime but also community, for thousands of cybercriminals worldwide. It was that classic kind of black hat forum that really only could’ve existed back in the day. Really. The web domain was literally www.shadowcrew.com–hardly the dark web; you could get there as easily as you could yahoo.com.
[Sherri] There are also how-tos involving carding forums. You can learn about things outside of stealing information or hacking, things like you can purchase prescription drugs or cocaine.
Or, quote, “how to use a stolen credit card number, forge a driver’s license, defeat a burglar alarm, or silence a gun.”
[Sherri] You can also buy services like distributed denial of service attacks, pay somebody to take down a website. You can pay somebody to take a test for you. So Shadow Crew was pretty much this huge site that was dedicated to crime online.
ShadowCrew was at the heart of a broader shift in cybercrime–from reckless lone hackers defacing NASA.gov for fun to more organized, businesslike cybercriminals doing real damage and making good money off of it. Today we have groups like DarkSide–the people behind the Colonial Pipeline attack–that operate like corporations with their own in-house management, accounting, PR and customer relations personnel. ShadowCrew was like an embryo that spawned all that. Sherri describes in her book, “Data Breaches: Crisis and Opportunity,” how formal and well-organized it all was. Quote:
“Vendors from around the world applied to sell their goods and, once approved, provided “a dizzying array of illicit products and services [. . .] Vendors wishing to sell their products on Shadowcrew were required to go through a formal vetting process. The prospective vendor would send a sample of his or her product to a designated Shadowcrew member, who would evaluate it and write a review. [. . .] One federal prosecutor later referred to Shadowcrew as “an eBay, Monster.com and MySpace for cybercrime.”
“Soupnazi,” now “cumbajohny,” was not just a member but an admin. Far from his days having fun with the Keebler Elves, he was now collaborating with criminals from around the world to steal and monetize over a million stolen credit and debit cards.
Sometimes he did it himself–taking stolen cards, copying the data onto blanks and then feeding them into ATMs. They were called “cash out” trips.
We’re at a Chase bank ATM on the Upper West Side of Manhattan. July, 2003.
[Sherri] He goes in shortly before midnight. Why? Because usually there’s a limit for with – a daily limit for withdrawing money from ATMs. So if he goes there around midnight, he can use all of the cards that he has printed, cash out and then wait until after midnight and use them a second time and get more cash from those accounts.
So his timing is very purposeful. He goes to the ATM wearing this long, black wig. He has got a fake nose ring and he has 70 blank credit and – debit cards on him. So he starts feeding these into an ATM and what he doesn’t know is that there is a plain clothes NYPD detective who’s watching him.
The detective is actually out hunting for car thieves. But once he started seeing this woman feeding cards into an ATM and not leaving, he realizes that something is up.
Albert was brought into an NYPD station. Quickly, news of his arrest reached the office of the U.S. Attorney in New Jersey, and also the Secret Service, who’d been investigating ShadowCrew.
It’s a bit strange, maybe. Why did the people who bodyguard the president care about computer hackers?
[Sherri] So over the years of course as digital crimes emerged, that has evolved into the Secret Service investigating really all kinds of digital financial crimes.
Escorting presidents and investigating hackers. I don’t get it, either, but there you go.
[Sherri] They investigate this type of fraud. But they’re not making a whole lot of progress on it.
So after Gonzalez is caught, he’s debriefed and word gets to the electronic crimes taskforce and they realize that Albert could potentially help them nab other people who are committing the same types of crimes.
They didn’t just want Albert, they wanted ShadowCrew.
And he wasn’t in a position to tell them ‘no.’ They had his computer, with millions of stolen credit cards on it, already in evidence. He later recalled to a New York Times reporter how, quote, “I was 22 years old and scared. When you have a Secret Service agent in your apartment telling you you’ll go away for 20 years, you’ll do anything.”
[Sherri] I think that’s a really poignant quote because again Albert really did care about the community. He didn’t feel good about busting other people. But it’s clear he felt like he was between a rock and a hard place.
I know what I’d do in his position–I’d start squealing like a pig.
[Sherri] At the time he’s also addicted to drugs, cocaine, other drugs. He also smokes. So he’s not in a very good place from a health perspective and he needs more money to support his habits than he has.
The Secret Service handed Albert the kind of deal he couldn’t refuse.
[Sherri] They offered to pay for his living expenses. They helped him work through his withdrawal and in exchange, they wanted him to help them and they also offered to not throw him in jail.
They even proposed a salary of $75,000 a year! Adjusting for inflation, that’s six figures in today’s money. A pretty good job offer even if you’re not on the hook for international cybertheft. Albert wasn’t completely out of his mind, so he accepted their terms.
And that means, if you’re keeping track: the guy who got a job at an ISP by hacking them now landed a job with the government by stealing from millions of people. You’ve got to admit: he stands out from other job candidates.
ALBERT’S NEW JOB
Though it must’ve made for an awkward first day on the job. He certainly didn’t blend in with his coworkers. One Secret Service agent recalled that, quote, “he was extremely thin; he smoked a lot, his clothes were disheveled.”
[Nate] So now they partner up, Albert and the Secret Service. I can’t imagine that it was an immediately good partnership.
[Sherri] I thought it was so interesting you said that because by all accounts, it was – by all accounts, it was an amazing partnership.
Albert was closest with an agent named Michael. Michael told the Times, quote: “In the beginning, he was quiet and reserved, but then he started opening up. He started to trust us. [. . .] He was very respectable, very nice, very calm, very well spoken.”
[Sherri] Albert was an excellent educator. He was very patient. He was very calm. He was very nice. He built friendships with the Secret Service agents. He really opened their eyes and helped them understand his world and how it worked.
It really seemed like Albert was trying to help. Another agent told the New York Times how, quote: “He could be very disarming, if you let your guard down. I was well aware that I was dealing with a master of social engineering and deception. But I never got the impression he was trying to deceive us.” End quote. Albert developed genuine friendships with some of the agents. A couple of his buddies called him “Soup,” after his hacker handle.
And the stability of his new lifestyle started having a positive effect on his well-being. He may have come in extremely thin and disheveled but, quote, “Over time, he gained weight, started cutting his hair shorter and shaving every day. It was having a good effect on his health.” End quote.
In short, Albert had redeemed himself. He’d turned a corner. He no longer had to steal credit cards and deal with the shady underbelly of society.
But the thing about obsession is that it’s illogical. It makes you do things that are against your own interests. You can be presented with perfectly good exits–alternate paths that any reasonable person would take in a second, that really only have one good answer–and still go the wrong way.
Just as it was at 14, at age 20, Albert was given a choice. Two paths–the dark side and the light side. And, for the second time, he went the wrong way.